
A Plan to Stop Fast Flux Networks Begins to Form - Page 2


At least the report explicitly recognized the heart of the purpose of fast flux for illicit purposes: It prolongs the life of an attack. The report cites a paper by Tyler Moore and Richard Clayton of Cambridge as measuring that fast flux attacks last at least twice as long as non-flux attacks.

ICANN's work in this is hardly the first attempt to study fast flux networking or how to stop it. The ubiquitous Gadi Evron started a conversation on the subject three years ago (work that was not credited in the ICANN report; for shame, for shame...). I was in on the discussions then, and it was clear that the main obstacle in taking down such networks was lazy and/or complicit domain name registrars, although many registrars were and still are responsive to responsible reports of abuse from responsible agencies. Organizations Evron was involved with had success in taking down some networks, not so much others. The ICANN report states that "[N]o registrar has been prosecuted for facilitating criminal activities related to fast flux domains, but there have been reports linking one ICANN-accredited registrar to a large number of fraudulent domains including fast flux domains." I'm not at all surprised.

"The report may say that registrars and resellers only 'have the appearance of facilitation of fast flux domain attacks', but the fact is that they have created an environment that invites abuse. They too often simply do not maintain staff and policies adequate to prevent even the most blatant abuses from taking place."

Personally, I think it's worse than this. I know from personal experience that some registrars ignore clear evidence of abuse unless they're forced to react.


Absent any crackdown on registrars, it's worth noting that the function of quick take-downs could be performed effectively at the registry level. I've always liked this approach because it's so efficient, but there doesn't seem to be a lot of stomach for it. Ideally you'd only want a registry to take down a domain when the registrar, the company with whom the registrant has a relationship, is unresponsive. If a registrar is that unresponsive to a clear policy process (none of which exists yet, of course), then things are bad and it deserves serious scrutiny.

I asked Gadi Evron about all this again and he reminded me that there are responsible registrars and registries out there: "I am pleased with ICANN's continuing work on this subject, which I've had the pleasure to help initiate with Steve Crocker a couple of years ago. While their progress is essential, the part of the [registrar] industry which sees the need has not been waiting for consensus, and takes care of these issues under their own authority." Unfortunately, one bad, unresponsive registrar can do a lot of damage.

The working group does list "accelerated domain suspension processing in collaboration with certified investigators/responders" as one of the possible ways to work on the problem. Staying conservative about things, as ICANN is often inclined to do, this is the best we could hope for. And if there are teeth in the policy to enforce these rules it could make a practical difference. This is what we were talking about three years ago with Gadi Evron's group. But this approach was not the conclusion of the group; we're still too early in the ICANN process to go that far. It's just one of the proposed reactions. The "Interim Conclusions" of the report are (unsurprisingly) that more study is needed. That's something that anyone can say if they don't think that hardened networks of malicious systems are an urgent problem.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
